Posted
by
timothy
on Wednesday June 26, 2013 @11:53AM
from the top-men-are-on-it dept.

wiredmikey writes "Security response personnel at HP are 'actively working on a fix' for a potentially dangerous backdoor in older versions of its StoreOnce backup product line. The company's confirmation of what it describes as a 'potential security issue' follows the public disclosure that malicious hackers can use SSH access to perform full remote compromise of HP's StoreOnce backup systems. The SHA1 hash for the password was also published, putting pressure on HP to get a fix ready for affected customers. SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password. The HP StoreOnce product, previously known as HP D2D, provides disk backup and recovery to small- to midsize businesses, large enterprises, remote offices and cloud service providers."

So, can anybody think of a not-totally-shameful reason why HP's vendor service backdoor didn't use SSH's keypair auth? Y'know, the one where obtaining the private key just by having access to the public key baked into every unit isn't dangerously trivial?

First, this is a product that should never, ever, ever be connected to a public network. The same goes for the SAN systems, some of the older ones of which also apparently had an undocumented default password. It's still sloppy and bad practice for that to be there, but any moron who connects a storage backup system like this to a public network and gets hacked deserves what they get, doing that would be beyond stupid to the point of actually being malicious. The same also goes for similar products from

As pointed out in other comments, the reverse lookup (i.e. rainbow table) is readily available for unsalted hashes.

You make the mistake that to get a password requires brute force. People aren't stupid, they use the fastest tools available first. If google can tell you the password by simply entering the hash, then yes, it is LESS SECURE then one that is not readily available and REQUIRES brute force

it's sad to watch HP fall into ruins, but it seems that me that everything they touch turns into coal instead of gold. They used to build decent hardware. My brother owns an HP handheld from the time before the smartphone craze that had a stylus, Windows mobile (from the era when it actually used to work), a *shitload* of software and GPS. They acquired Compaq and the laptop I bought from them back in 2004 was built to last. Then they phased out all the Compaq products and the laptops they have been marketi